Hongkong Post e-Cert
Frequently Asked Questions on e-Cert


Contents

  1. HONGKONG POST CA
  2. PUBLIC KEY INFRASTRUCTURE (PKI)
  3. HONGKONG POST E-CERT SERVICES
  4. SUBMISSION OF CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER)
  5. CENTRAL KEY GENERATION SERVICE FOR E-CERT
  6. TECHNICAL ISSUES
  7. REVOCATION OF CERTIFICATES
  8. DELETION AND RECOVERY ISSUES
  9. BACK-UP AND TRANSFER OF CERTIFICATE
  10. E-CERT FOR SMART ID CARD / CARD READER
  11. RENEWAL OF E-CERT (PERSONAL)
  12. E-CERT FILE CARD

A. HONGKONG POST CA

  1. WHY SHOULD I CHOOSE HONGKONG POST CA AS MY CERTIFICATION AUTHORITY?
  2. ARE THERE LAWS IN HONG KONG REGULATING DIGITAL SIGNATURES?
  3. WHAT IS THE MEANING OF "RELIANCE LIMIT" FOR THE E-CERT CERTIFICATE?
  4. RETIREMENT OF SUPERSEDED CERTIFICATION AUTHORITY SYSTEM

B. PUBLIC KEY INFRASTRUCTURE (PKI)

  1. WHAT IS ENCRYPTION ?
  2. WHAT IS PUBLIC KEY CRYPTOGRAPHY AND HOW DOES IT WORK?
  3. WHAT IS A CERTIFICATION AUTHORITY (CA)?
  4. WHAT IS A DIGITAL CERTIFICATE?
  5. WHAT IS THE HONGKONG POST E-CERT CERTIFICATE?
  6. WHAT IS A DIGITAL SIGNATURE AND HOW DOES IT WORK?
  7. WHAT IS HASH FUNCTION/VALUE?
  8. WHAT IS S/MIME ?
  9. WHY IS/ARE THERE AN S/MIME .P7M AND/OR S/MIME .P7S ATTACHMENT TO MY E-MAIL?
  10. WHAT IS A SECURE SOCKET LAYER (SSL)?
  11. HOW DO I SEND A SIGNED AND ENCRYPTED E-MAIL ?
  12. HOW CAN I OBTAIN SOMEONE ELSE'S DIGITAL CERTIFICATE (WITH PUBLIC KEY EMBEDDED) IN ORDER TO SEND HIM/HER AN ENCRYPTED E-MAIL?
  13. HOW DO I READ THE ENCRYPTED E-MAILS I RECEIVE?
  14. HOW DO I VERIFY THE DIGITAL SIGNATURES ON SIGNED MESSAGES I RECEIVE?
  15. HOW DO I KNOW IF THE E-MAIL I HAVE RECEIVED IS SIGNED OR ENCRYPTED?
  16. CAN I SEND SECURE E-MAIL TO SOMEONE WHO DOES NOT HAVE A DIGITAL CERTIFICATE?

C. HONGKONG POST E-CERT SERVICES

  1. DOES HONGKONG POST E-CERT SUPPORT CHINESE CHARACTERS?
  2. DOES HONGKONG POST E-CERT SUPPORT ELLIPTIC CURVE CRYPTOSYSTEM (ECC)?
  3. DOES HONGKONG POST E-CERT SUPPORT OBJECT SIGNING AND AUTHENTICODE?
  4. HOW STRONG IS HONGKONG POST E-CERT (SERVER)?
  5. CAN HONGKONG POST E-CERT CERTIFICATES BE USED INTERNATIONALLY?
  6. CAN I USE MY E-CERT WITH HOTMAIL OR OTHER SIMILAR E-MAIL SERVICES ?
  7. WHAT HAPPENS AFTER MY HONGKONG POST E-CERT CERTIFICATE EXPIRES?
  8. HOW MANY HONGKONG POST E-CERT CERTIFICATES CAN I APPLY FOR?
  9. HOW MUCH DOES A HONGKONG POST E-CERT CERTIFICATE COST?
  10. FOR HOW LONG ARE HONGKONG POST E-CERT CERTIFICATES VALID?
  11. CAN I CHANGE THE INFORMATION ON A CERTIFICATE?
  12. WHAT ARE THE KEY LENGTHS SUPPORTED BY HONGKONG POST CA?
  13. WHY DOES MY BROWSER FIRST HAVE TO ACCEPT THE HONGKONG POST ROOT CA CERTIFICATE?
  14. WHERE DO I DOWNLOAD THE PUBLIC KEY OF THE HONGKONG POST ROOT CA CERTIFICATE, AND HOW DO I INSTALL IT IN THE BROWSER?
  15. HOW DO I RETRIEVE A LOST OR ACCIDENTALLY DELETED E-CERT?
  16. WHY IS IT IMPORTANT TO MAKE A BACK-UP COPY OF MY HONGKONG POST E-CERT CERTIFICATE?
  17. CAN I USE ONE HONGKONG POST E-CERT CERTIFICATE FOR MULTIPLE E-MAIL ADDRESSES?
  18. WHAT ARE THE AUTHENTICATION PROCEDURES FOR HONGKONG POST E-CERT CERTIFICATES?
  19. WHY IS HONGKONG POST ISSUING DIGITAL CERTIFICATES TO MINORS?
  20. CAN I SEARCH HONGKONG POST E-CERT (ENCIPHERMENT) CERTIFICATE FROM THE HONGKONG POST DIRECTORY SERVER ?
  21. WHERE I CAN FIND THE TERMS AND CONDITIONS GOVERNING THE USE OF HONGKONG POST E-CERT CERTIFICATES?
  22. HOW TO SEARCH IN NETSCAPE THE CERTIFICATE OF OTHER PEOPLE WHO HAVE TWO OR MORE E-CERTS WITH THE SAME EMAIL ADDRESS?
  23. WHY MUST AN APPLICANT FOR E-CERT COMPLETE THE IDENTITY VERIFICATION PROCESS IN PERSON AT A POST OFFICE?
  24. CAN AN APPLICANT VISIT A POST OFFICE DURING LUNCH BREAK, OVER WEEKEND OR ON SUNDAY TO COMPLETE THE APPLICATION PROCESS?
  25. IF AN APPLICANT HAS QUESTIONS OF INSTALLING AN E-CERT, HOW CAN HE/SHE SEEK HELP?
  26. IS IT A PROPER ARRANGEMENT FOR HONGKONG POST TO DELIVER THE E-CERT FLOPPY DISK / E-CERT FILE CARD TO AN APPLICANT BY POST?
  27. CAN AN E-CERT BE USED ON COMPUTERS RUNNING LINUX OR MAC OPERATING SYSTEMS?

D. SUBMISSION OF CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER)

  1. WHAT IS A CERTIFICATE SIGNING REQUEST (CSR)?
  2. HOW DO I GENERATE A CERTIFICATE SIGNING REQUEST (CSR)?
  3. WHAT SHOULD I PASTE INTO THE CERTIFICATE SIGNING REQUEST (CSR) TEXT BOX DURING THE E-CERT (SERVER) CSR SUBMISSION PROCESS?
  4. WHAT SHOULD I DO IF I DID NOT DOWNLOAD MY E-CERT (SERVER) IN THE LAST STEP OF THE CERTIFICATE SIGNING REQUEST (CSR) SUBMISSION PROCESS?

E. CENTRAL KEY GENERATION SERVICE FOR E-CERT

  1. WHAT IS CENTRAL KEY GENERATION SERVICE AND HOW DOES IT WORK?
  2. IS CENTRAL KEY GENERATION SERVICE APPLICABLE TO ALL TYPES OF E-CERT?
  3. ARE THERE ANY PROTECTIVE MEASURES TO SAFEGUARD THE PRIVATE KEY OF THE E-CERT CREATED UNDER THE CENTRAL KEY GENERATION SERVICE?
  4. WHICH VERSIONS OF INTERNET BROWSER CAN THE E-CERT FILE GENERATED UNDER THE CENTRAL KEY GENERATION SERVICE WORK WITH?
  5. IS THERE ANY TOOL OR PROGRAM THAT CAN BE USED TO CHANGE THE PASSWORD OF THE E-CERT FILE?
  6. IS THERE ANY RESTRICTION IN USING THE "CHANGE PASSWORD PROGRAM" SOFTWARE?
  7. HOW DOES THE "CHANGE PASSWORD PROGRAM" WORK?

F. TECHNICAL ISSUES

  1. SYSTEM REQUIREMENTS
  2. HOW DO I KNOW THAT MY HONGKONG POST E-CERT CERTIFICATE IS PROPERLY INSTALLED?
  3. WHAT SHOULD I DO IF MY PIN DOES NOT APPEAR TO WORK?
  4. WHY AM I GETTING AN 'EXPIRED CERTIFICATE' MESSAGE SHORTLY AFTER DOWNLOADING IT?
  5. I HAVE DELETED MY NETSCAPE NAVIGATOR AND INSTALLED THE LATEST VERSION. HOW DO I REINSTALL MY DIGITAL CERTIFICATE?
  6. HOW DO I KNOW I AM CONNECTED TO A SECURE SERVER ?
  7. HOW DO I GET 128-BIT / FULL-STRENGTH SESSIONS?
  8. WHAT DOMAIN NAME DO I USE ON MY SERVER CERTIFICATE REQUEST?
  9. WHICH FIELD INSIDE THE E-CERT (ENCIPHERMENT) CERTIFICATE CONTROLS THE USAGE PURPOSE OF THE KEY PAIR?
  10. THE KEY PAIR OF THE E-CERT (ENCIPHERMENT) WILL BE USED FOR ENCRYPTION AND DECRYPTION OF ELECTRONIC RECORDS. HOW DOES THIS KEY PAIR WORK?
  11. USING E-CERT IN THE CRYPTO TOOLS SOFTWARE

G. REVOCATION OF CERTIFICATES

  1. HOW DO I REVOKE MY HONGKONG POST E-CERT CERTIFICATE?
  2. WHY DO I NEED TO REVOKE MY CERTIFICATE BEFORE IT EXPIRES?
  3. HOW CAN I VERIFY THE STATUS OF MY REVOKED CERTIFICATE?

H. DELETION AND RECOVERY ISSUES

  1. IS THERE ANY WAY TO RECOVER MY HONGKONG POST E-CERT CERTIFICATE IF MY HARD DRIVE HAS CRASHED?
  2. WHAT SHOULD I DO IF MY COMPUTER HAS BEEN STOLEN TOGETHER WITH MY CERTIFICATE?
  3. SHOULD I DELETE MY EXPIRED OR REVOKED E-CERT?

I. BACK-UP AND TRANSFER OF CERTIFICATE

  1. HOW DO I SAVE A BACK-UP COPY OF MY DIGITAL CERTIFICATE?
  2. HOW DO I TRANSFER MY DIGITAL CERTIFICATE TO A NEW COMPUTER?

J. E-CERT FOR SMART ID CARD / CARD READER

K. RENEWAL OF E-CERT (PERSONAL)

  1. WHY HAVE SUBSCRIBERS OF E-CERT ON SMART ID CARD NOT RECEIVED THE RENEWAL NOTICE UPON THE EXPIRY OF E-CERT?
  2. WHAT IS THE DIFFERENCE BETWEEN "EXTENSION OF SUBSCRIPTION PERIOD" AND "RENEWAL"?
  3. HOW CAN SUBSCRIBERS RENEW THEIR E-CERT?
  4. WHAT IS THE VALIDITY PERIOD OF THE RENEWED E-CERT ON SMART ID CARD? WHAT IS THE RENEWAL FEE?
  5. CAN I PAY HK$150 FOR 3-YR SUBSCRIPTION FEES IN ONE GO?
  6. WHEN SUBMITTING A RENEWAL APPLICATION, WILL THE SUBSCRIBERS OF E-CERT ON SMART ID CARD BE ISSUED A NEW PIN ENVELOPE? IF SUBSCRIBERS REQUEST A BACK-UP FLOPPY DISK OR AN E-CERT FILE CARD, DO THEY NEED TO PAY EXTRA FOR THE BACK-UP FLOPPY DISK / E-CERT FILE CARD?
  7. UPON RECEIPT OF THE NEW PIN ENVELOPE AND FLOPPY DISK / E-CERT FILE CARD FOR THE RENEWED E-CERT ON SMART ID CARD, CAN THE SUBSCRIBER THROW AWAY THE OLD PIN ENVELOPE AND FLOPPY DISK / E-CERT FILE CARD?
  8. CAN I RENEW MY E-CERT ON SMART ID CARD BUT HAVE IT LOADED ONTO FLOPPY DISK / E-CERT FILE CARD ONLY INSTEAD OF SMART ID CARD?
  9. CAN THE RENEWED E-CERT BE STORED TOGETHER WITH THE EXISTING E-CERT THAT WAS STORED IN THE SMART ID CARD?
  10. I HAVE TWO E-CERTS ON HAND BUT ONLY THE SMART ID CARD ONE HAS EXPIRED. CAN I LOAD THE OTHER E-CERT (PERSONAL) FROM FLOPPY DISK ONTO MY SMART ID CARD BY MYSELF?
  11. WHAT ARE THE CHANNELS FOR ENQUIRY?

L. E-CERT FILE CARD


A. Hongkong Post CA

A-1 Why should I choose Hongkong Post CA as my Certification Authority?

Hongkong Post Certification Authority is a recognised Certification Authority under the Electronic Transactions Ordinance, Cap 553. The Hongkong Post e-Cert certificates are recognised certificates issued by the Postmaster General of the Hong Kong Post Office in accordance with the requirements of the Electronic Transactions Ordinance and the Code of Practice for Recognised Certification Authorities. In addition, Hongkong Post CA conducts a strict authentication process to verify the identity of subscribers, providing the infrastructure for secure e-commerce. Details of the authentication procedures are available in the Hongkong Post Certification Practice Statement (CPS) at www.hongkongpost.gov.hk.

A-2 Are there laws in Hong Kong regulating digital signatures?

Yes. The Electronic Transactions Ordinance (Cap 553) was first enacted in January 2000 and amended in July 2004. The Ordinance is available for viewing at http://www.ogcio.gov.hk/eng/eto/eeto.htm.

A-3 What is the meaning of "Reliance Limit" for the e-Cert certificate?

Reliance Limit means the monetary limit specified for reliance on a recognised certificate. The relevant sections of the Electronic Transactions Ordinance are Sections 41 and 42.

A-4 Retirement of Superseded Certification Authority System

In January 2004, Hongkong Post completed the Certification Authority (CA) system upgrade exercise, and the functions of the original CA system (OCA) operating under the OCA roots "Hongkong Post Root CA" and "Hongkong Post e-Cert CA" were taken over by the new CA system (NCA) operating under two NCA roots "Hongkong Post Root CA 1" and "Hongkong Post e-Cert CA 1".

Since 1 February 2004, the NCA has been issuing recognized certificates and the OCA has ceased to issue recognized certificates. As all recognized certificates issued by the OCA had a validity period of one year, all such certificates had expired by 1 February 2005, and therefore no recognized certificates issued by the OCA are still valid at present.

On 1 April 2005, the OCA retired and ceased to issue CRLs under the OCA roots "Hongkong Post Root CA" and "Hongkong Post e-Cert CA". The last CRL of the OCA was issued on 31 March 2005.

The retirement of the OCA does not affect the existing operation (including the publication of CRLs) of the NCA and services of the Hongkong Post Certification Authority. All recognized certificates and CRLs issued under both the OCA and NCA are still accessible at the existing repository.


B. Public Key Infrastructure (PKI)

B-1 What is Encryption ?

The concept of encryption is simple: a message is converted from the original (plain text) into another, incomprehensible form (cipher text) by means of a specified procedure (algorithm) and a key. The same key can then be used to decrypt the message to its original form. Knowledge of the encryption key is necessary to carry out decryption. With the encryption techniques in use today, the security of the system is critically dependent on the length of the key used for the encryption. As encryption algorithms are publicly available, it is through the complexity (i.e., its length) and the secrecy of the key that the strength of the encryption can be assured.

B-2 What is Public Key Cryptography and how does it work?

Public Key Cryptography or Asymmetric Cryptography forms the basis of digital signatures and Public Key Infrastructure. This technique makes use of a pair of mathematically related, but different keys - a private key and a public key. The private key is kept secret and is only accessible to its owner; the public key is intended for wide distribution. If one key is used to encrypt a message, then only the other key in the pair can be used to decrypt it. The public key can be used to verify a message signed with the private key, or to encrypt messages that can only be decrypted using the private key.

B-3 What is a Certification Authority (CA)?

A Certification Authority (CA) is an organisation that issues independently authenticated digital certificates for use by individuals or organisations.

B-4 What is a digital certificate?

A digital certificate is an electronic file issued and digitally signed by a Certification Authority, vouching for the identity of the certificate holder.

B-5 What is the Hongkong Post e-Cert certificate?

The Hongkong Post e-Cert certificate is a digital certificate that is issued, signed and managed by Hongkong Post Certification Authority (CA) and is X.509 v3 compliant. Hongkong Post CA offers four different types of digital certificates:

  1. Hongkong Post e-Cert (Personal) Certificates: these are used in browsers and e-mail programmes so that users can prove their identity to third parties;
  2. Hongkong Post e-Cert (Organisational) Certificates: these are used by organisations, associations or Government departments which want to issue an organisation-based certificate to their members/employees to conduct secure message transmission;
  3. Hongkong Post e-Cert (Server) Certificates: these are used to authenticate servers to users, thereby making it possible to communicate using Secure Socket Layer (SSL); and
  4. Hongkong Post e-Cert (Encipherment) Certificates: these are used for encryption and decryption of messages for confidentiality purposes only. This type of certificate is not to be used for message signing, unlike e-Cert (Personal) and e-Cert (Organisational).

B-6 What is a Digital Signature and how does it work?

A digital signature is a unique string of bits that is separately generated for each message, 'signed' by the private key of the sender, and appended to the message prior to being forwarded to the intended recipient. By verifying the signature using the public key of the sender, the receiver is able to confirm the identity of the sender and be certain that the message has not been altered during transmission. In this way, digital signatures provide:

  • Authentication: proof of identity of the parties to an electronic transaction;
  • Integrity: assurance that the contents of a message have not been tampered with or modified;
  • Non-repudiation: proof of agreement to the terms of the transaction and prevention of denial of commitment.

B-7 What is Hash Function/Value?

The technique of the hash function is to compute a short digest of a fixed length from any given message that represents the message content. The hash function makes it impossible to revert to the original message and computationally difficult to find any two messages that hash to the same result. MD5 and SHA-1 are common hash algorithms.
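As an added illustration of B-2, B-6 and B-7 (not part of the original FAQ and not Hongkong Post's own software), the Python below carries the hash-then-sign and encrypt-with-public-key steps through with textbook RSA. It assumes two hard-coded primes and uses no padding, which is enough to show the mathematics but is not how e-Cert software signs real messages, and it hashes with SHA-256 rather than the MD5/SHA-1 named above, since both of those are deprecated.

```python
import hashlib

# Two known primes, hard-coded so the demo is deterministic and instant.
# Assumption for this example only: real keys use randomly generated primes.
P = 2**521 - 1   # Mersenne prime M521
Q = 2**127 - 1   # Mersenne prime M127
E = 65537        # common public exponent


def generate_keypair():
    """Return (public_key, private_key), each as an (n, exponent) tuple."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)       # private exponent = modular inverse of E (Python 3.8+)
    return (n, E), (n, d)


def hash_value(message: bytes) -> int:
    """Fixed-length digest of a message of any size (B-7), as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Sign the *hash* of the message with the private key (B-6).
    A different message gives a different hash and so a different signature."""
    n, d = private_key
    return pow(hash_value(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the signed hash with the public key and compare it with a fresh
    hash of the received message: any change to message or signature fails."""
    n, e = public_key
    return pow(signature, e, n) == hash_value(message)


def encrypt(public_key, plaintext: bytes) -> int:
    """Encrypt with the public key (B-2); only the matching private key decrypts."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Decrypt with the private key. Leading zero bytes of the plaintext are
    not preserved by this unpadded demo, one of the reasons real RSA pads."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    """Walk through the three properties the FAQ lists and return the outcomes."""
    pub, priv = generate_keypair()
    msg = b"Pay HK$50 to Hongkong Post for a 1-year e-Cert (Personal)"
    sig = sign(priv, msg)
    tampered = msg.replace(b"HK$50", b"HK$500")   # altered in transit
    return {
        "genuine_verifies": verify(pub, msg, sig),        # authentication
        "tampered_fails": verify(pub, tampered, sig),     # integrity
        "roundtrip": decrypt(priv, encrypt(pub, b"session key")) == b"session key",
    }


if __name__ == "__main__":
    print(demo())
```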

B-8 What is S/MIME ?

S/MIME (Secure/ Multipurpose Internet Mail Extensions) is a de facto standard for sending secure e-mail over the Internet. MIME is the industry standard format for electronic mail, which defines the structure of the message's body. S/MIME adds a secure feature to the MIME standard. E-mail applications that support S/MIME add digital signatures and encryption capabilities to that format. Standardisation of the secured message's format allows users to conduct private and authenticated communications, independent of the e-mail software they use, as long as this software is S/MIME compatible. You and your recipient must have public key certificates and S/MIME compatible e-mail applications in order to send and receive secured e-mail.

B-9 Why is/are there an S/MIME .p7m and/or S/MIME .p7s attachment to my e-mail?

S/MIME is the secure e-mail protocol: a .p7m attachment contains the encrypted message, while a .p7s attachment is the digital signature file. If either is received as a plain attachment, there are two possibilities:

  1. You may be using a web-based e-mail account. It is suggested that you change your e-mail account to a non web-based account;
  2. You may be using an e-mail client which is not S/MIME compatible and will not be able to verify the attached signature. It is suggested that you upgrade your e-mail client to the latest version (e.g., Microsoft Outlook 98/2000) or use another S/MIME compatible mail programme (e.g., Microsoft Outlook Express 5 or Netscape Messenger 4.7 or above).

B-10 What is a Secure Socket Layer (SSL)?

The SSL handshake protocol was developed by Netscape Communications Corporation to provide security and privacy over the Internet. The protocol supports server and client authentication. The SSL protocol is application independent, allowing protocols like HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol) and Telnet to be layered on top of it transparently. The SSL protocol is able to negotiate encryption keys, as well as to authenticate the server before data are exchanged by the higher-level application. The SSL protocol maintains the security and integrity of the transmission channel by using encryption, authentication and session keys.

B-11 How do I send a signed and encrypted e-mail ?

For two parties to exchange signed and encrypted e-mail it is necessary that:

  • both parties correspond through S/MIME compatible e-mail programmes, AND
  • both parties have a digital certificate.

If the above conditions are fulfilled, the sender of a message can sign and encrypt messages with the options to "sign" and/or "encrypt" in his/her mail programme.

B-12 How can I obtain someone else's digital certificate (with public key embedded) in order to send him/her an encrypted e-mail?

To enable you to send an encrypted e-mail,

  • you need to ask your recipient to send you a signed e-mail and save the certificate in your address book; or
  • find a digital certificate from Hongkong Post's online e-Cert repository (directory) either by name or e-mail address, and then download your recipient's e-Cert.

B-13 How do I read the encrypted e-mails I receive?

If an e-mail message has been properly encrypted, i.e., with the public key corresponding to your private key, the encrypted message will be automatically decrypted for you (after you have entered your password for activating your private key) by your S/MIME compatible e-mail application and displayed to you as plain text.

B-14 How do I verify the digital signatures on signed messages I receive?

If your sender has included his/her public key certificate in the signed message, the digital signature on the message will be automatically verified by your S/MIME compatible e-mail application. In Netscape Messenger, a security icon saying "Signed" will be shown on the upper right corner of the message.

B-15 How do I know if the e-mail I have received is signed or encrypted?

For Netscape Messenger users: security enhanced messages have an icon in the upper-right corner, indicating that the message has been "signed", "encrypted" or "signed and encrypted".
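Added example for B-9 and B-15 (not part of the original FAQ): a standard-library Python function that classifies a message as signed, encrypted or plain from its S/MIME Content-Type headers, and lists the smime.p7s / smime.p7m attachment names that a client without S/MIME support would show. The three sample messages are constructed here with dummy base64 bodies; no real signature or enveloped data is decoded.

```python
import email

# Constructed sample messages. The base64 bodies are placeholders, not real
# PKCS#7 data: the classifier only looks at MIME structure and headers.
SIGNED_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: signed test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Hello Bob, this text is covered by the detached signature below.
--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
--sig-boundary--
"""

ENCRYPTED_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: encrypted test
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

PLAIN_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: plain test
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Nothing signed or encrypted here.
"""

# Media types defined for S/MIME (the x- forms are the older, still-seen spellings).
SMIME_SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_MIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def classify_smime(raw: str) -> str:
    """Return 'signed', 'encrypted', 'plain' or a descriptive fallback, based on
    the outermost Content-Type of the message."""
    msg = email.message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        protocol = (msg.get_param("protocol") or "").lower()
        if protocol in SMIME_SIGNATURE_TYPES:
            return "signed"            # clear-signed: readable text plus a detached .p7s
        return "signed-not-smime"      # some other protocol, e.g. PGP/MIME
    if ctype in SMIME_MIME_TYPES:
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            # Whether the content inside is also signed can only be seen after decryption.
            return "encrypted"
        if smime_type == "signed-data":
            return "signed"            # opaque-signed: text and signature inside one .p7m
        return "smime-other"
    return "plain"


def smime_attachment_names(raw: str) -> list:
    """Names of .p7s / .p7m parts, i.e. what a non-S/MIME client shows as attachments."""
    msg = email.message_from_string(raw)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith((".p7s", ".p7m")):
            names.append(name)
    return names


if __name__ == "__main__":
    for label, sample in (("signed", SIGNED_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, "->", classify_smime(sample), smime_attachment_names(sample))
```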

B-16 Can I send secure e-mail to someone who does not have a digital certificate?

No, you cannot. In order to encrypt the e-mail message that you want to transmit, you will need to access the public key of the intended recipient. If the recipient is not in possession of a digital certificate, he/she will not have a public key. However, you can digitally sign messages to recipients whose e-mail applications support S/MIME. They will be able to verify your signature on the messages.


C. Hongkong Post e-Cert Services

C-1 Does Hongkong Post e-Cert support Chinese characters?

Currently, the technology adopted by Hongkong Post does not support Chinese characters. Hence, for the present, all Hongkong Post e-Cert certificates are issued in English only.

C-2 Does Hongkong Post e-Cert Support Elliptic Curve Cryptosystem (ECC)?

ECC is not supported for the time being.

C-3 Does Hongkong Post e-Cert Support Object Signing and Authenticode?

Object signing and authenticode are not supported for the time being.

C-4 How strong is Hongkong Post e-Cert (Server)?

Hongkong Post e-Cert (Server) is as strong as you want it to be. If you generate a 1024-bit Certificate Signing Request (CSR) and submit it, we will sign it and you'll receive a 1024-bit certificate. Similarly, if you generate a 512-bit CSR, then you'll receive a 512-bit certificate.

C-5 Can Hongkong Post e-Cert Certificates be used internationally?

Hongkong Post e-Cert certificates are X.509 v3 compliant (an international standard) and can, therefore, be used internationally.

C-6 Can I use my e-Cert with Hotmail or other similar e-mail services ?

This is not possible. Web-based e-mail services such as Hotmail and Yahoo are not S/MIME compatible. For details, please see the S/MIME questions under Section B (Public Key Infrastructure).

C-7 What happens after my Hongkong Post e-Cert certificate expires?

When a Hongkong Post e-Cert certificate expires, it can no longer be used for secured e-mail. You should re-apply for a new e-Cert certificate.

C-8 How many Hongkong Post e-Cert certificates can I apply for?

As many as you like. There is no limit to the number of Hongkong Post e-Cert certificates you can apply for.

C-9 How much does a Hongkong Post e-Cert certificate cost?

The subscription fees for the four types of Hongkong Post e-Cert certificates are:

  Type of Certificate    Annual Fee (HK$)
  Personal               $50
  Organisational         $150 ($50 for a first-time subscriber), plus an administration fee of $150 per application
  Server                 $2,500
  Encipherment           $150, plus an administration fee of $150 per application

C-10 For how long are Hongkong Post e-Cert certificates valid?

  • The validity period of Hongkong Post e-Cert (Personal) and Hongkong Post e-Cert (Personal) for Smart ID Card is 3 years.
  • The validity period of e-Cert (Organisational), e-Cert (Encipherment) and e-Cert (Server) is 1 or 2 years.

C-11 Can I change the information on a certificate?

A digital certificate, once generated, cannot be changed. If you have changed any information on the certificate such as your name or your e-mail address, you must apply for a new certificate. You should also revoke your existing certificate.

C-12 What are the key lengths supported by Hongkong Post CA?

Hongkong Post CA supports certificates of any key length up to 2048 bits. Hongkong Post CA root certificates have 2048-bit keys.

C-13 Why does my browser first have to accept the Hongkong Post Root CA certificate?

The Hongkong Post Root CA certificate is not pre-installed in standard browsers. This means that you will have to load the Hongkong Post Root CA certificate into your browser yourself. You need this root certificate to validate a certificate issued by Hongkong Post CA.

C-14 Where do I download the public key of the Hongkong Post Root CA certificate, and how do I install it in the browser?

The Hongkong Post Root CA certificate is available for downloading under the heading of "Download Programs".

C-15 How do I retrieve a lost or accidentally deleted e-Cert?

If you lose your Hongkong Post e-Cert certificate, you must revoke your certificate immediately. In case you have accidentally deleted your certificate, you simply need to import the certificate from your back-up copy. If you do not have a back-up copy, you must submit a new application.

C-16 Why is it important to make a back-up copy of my Hongkong Post e-Cert certificate?

If you lose your certificate, and you do not have a back-up copy, you will lose access to all your old encrypted messages (as you will not have your private key which you need to decrypt these messages). It is absolutely essential, therefore, that you make a back-up copy of your certificate.

C-17 Can I use one Hongkong Post e-Cert certificate for multiple e-mail addresses?

Currently very few common browsers are capable of recognising multiple e-mail addresses on a single certificate. Therefore, Hongkong Post CA is adopting a policy of one e-mail address per certificate.

C-18 What are the authentication procedures for Hongkong Post e-Cert certificates?

Details of authentication procedures are available from the Hongkong Post Certification Practice Statement at www.hongkongpost.gov.hk.

C-19 Why is Hongkong Post issuing digital certificates to minors?

It is the vision of Hongkong Post to groom the younger generation to participate in secure electronic transactions and communications. If a certificate holder is a minor at the time of submitting his/her application, it will be shown on the certificate as "Hongkong Post e-Cert (Personal/Minor)". Relying parties are reminded that minors are not legally capable of entering into contracts, and any such dealings may be declared null and void in the future.

C-20 Can I search Hongkong Post e-Cert (Encipherment) Certificate from the Hongkong Post directory server ?

Absolutely. Like other types of e-Cert, the e-Cert (Encipherment) Certificate will also be posted to the directory for public searching.

C-21 Where I can find the terms and conditions governing the use of Hongkong Post e-Cert certificates?

The Subscriber Agreement and the Certification Practice Statement, which can be obtained at any Post Office counter, show all details of the terms and conditions governing the use of Hongkong Post e-Cert certificates. The Certification Practice Statement can also be viewed at the Hongkong Post CA web site at www.hongkongpost.gov.hk.

C-22 How to search in Netscape the certificate of other people who have two or more e-Certs with the same e-mail address?

You have to specify the directory entry of Hongkong Post e-Cert Directory with more Distinguished Name (DN) information in the search field. An example of it is by entering "OU=0000920170,O=Hongkong Post e-Cert (Personal),C=HK" in the search root field to limit the search to e-Cert (Personal) and SRN=0000920170. For details, you may refer to the user guide of setting search field for the directory entry of Hongkong Post e-Cert Directory.

C-23 Why must an applicant for e-Cert complete the identity verification process in person at a post office?

e-Cert is a digital certificate that offers a safe and secure way to conduct online transactions. In processing an e-Cert application, Hongkong Post is required to verify the identity of the applicant. As a procedural safeguard in the interest of the applicant, it is necessary for the applicant to visit a post office to complete the face-to-face identity verification process and delivery of the PIN envelope before an e-Cert can be issued.

C-24 Can an applicant visit a post office during lunch break, over weekend or on Sunday to complete the application process?

Yes. All post offices will stay open during lunch hours. As for the General Post Office at Central and the Tsim Sha Tsui Post Office, public services are available on Saturday afternoon and on Sundays from 9:00 a.m. to 2:00 p.m. The opening hours of the post offices can be found at Hongkong Post's web site http://www.hongkongpost.gov.hk/product/e-Cert/office/index.html.

C-25 If an applicant has questions of installing an e-Cert, how can he/she seek help?

He/she can call the e-Cert Hotline at 2921 6633.

C-26 Is it a proper arrangement for Hongkong Post to deliver the e-Cert floppy disk /e-Cert File Card to an applicant by post?

Hongkong Post always places emphasis on the security aspects of e-Cert. Delivering the e-Cert floppy disk / e-Cert File Card by post saves applicants from making an additional visit to the post office to collect it. As a security measure, the e-Cert floppy disk / e-Cert File Card is sent by recorded delivery, which requires the applicant to sign for its receipt. Furthermore, the use of an e-Cert requires a PIN, which is given to the applicant at the time of application.

C-27 Can an e-Cert be used on computers running Linux or Mac operating systems?

e-Cert can be used on the Windows operating system. The use of e-Cert on Linux and Mac operating systems will require installation of additional software plug-ins. You may contact the respective vendors of the Linux and Mac system for the details of the software plug-ins.


D. Submission of Certificate Signing Request (CSR) for e-Cert (Server)

D-1 What is a Certificate Signing Request (CSR)?

A Certificate Signing Request (CSR) is a request generated by your server which contains the information of your organisation and your public key. The Hongkong Post CA will generate your e-Cert (Server) based on your CSR.

D-2 How do I generate a Certificate Signing Request (CSR)?

You may refer to the User Guides for e-Cert (Server) Applicant for the procedures on how to generate a base64 encoded PKCS#10 CSR. Please make sure that the correct domain name (e.g. www.example.com) is entered in the "Common Name" field and "HK" in the "Country" field.

D-3 What should I paste into the Certificate Signing Request (CSR) text box during the e-Cert (Server) CSR submission process?

You should paste the entire content of the CSR including the lines "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" into the Certificate Signing Request (CSR) text box.

D-4 What should I do if I did not download my e-Cert (Server) in the last step of the Certificate Signing Request (CSR) submission process?

You can download your e-Cert (Server) from the Search and Download Certificate web page after a successful CSR submission process.


E. Central Key Generation Service for e-Cert

E-1 What is Central Key Generation Service and how does it work?

Hongkong Post generates the key pair (the private key and the public key) of an e-Cert on behalf of the Subscriber and creates the e-Cert. The key generation and e-Cert creation process is performed in a trustworthy manner and environment within Hongkong Post's premises to ensure that the key pair and e-Cert are not tampered with. The generated key pair and e-Cert are protected by the Subscriber's own password and stored as an e-Cert file on either a floppy disk or an e-Cert File Card. The floppy disk / e-Cert File Card is delivered to the Subscriber by registered mail. The Subscriber is required to open the e-Cert file with the password, which is distributed to the Subscriber separately.

E-2 Is Central Key Generation Service applicable to all types of e-Cert?

The Central Key Generation Service is applicable to e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) certificates. Subscribers who opt for this service should make the request and specify the collection/delivery arrangement at the time of application.

E-3 Are there any protective measures to safeguard the private key of the e-Cert created under the Central Key Generation Service?

Hongkong Post does NOT keep a copy of the private key. The floppy disk / e-Cert File Card containing the e-Cert and the key pair is protected by a 16-digit PIN which is separately handed over to the subscriber at the time of application. This PIN is also required when the subscriber imports the e-Cert into the Internet browser.

E-4 Which versions of Internet browser can the e-Cert file generated under the Central Key Generation Service work with?

The following are some common Internet browsers that are known to work with the e-Cert file generated under the Central Key Generation Service:

  • Microsoft Internet Explorer 5.01 with 128-bit High Encryption Pack
  • Microsoft Internet Explorer 5.5 or above
  • Mozilla Firefox 2.0 or above
  • Netscape Navigator 4.08 / Communicator 4.5 - 4.8
  • Netscape Navigator 7.0 or above

E-5 Is there any tool or program that can be used to change the password of the e-Cert file? 

For a quicker and easier way of changing the password of the e-Cert file, a "Change Password Program" is available for downloading from the Hongkong Post CA web site. After downloading and a simple installation, the program is ready for use.

E-6 Is there any restriction in using the "Change Password Program" software?

The "Change Password Program" software is designed for use by Subscribers of Hongkong Post e-Cert to change the password of an e-Cert file that is created and saved on a floppy disk or other storage media. It only works on the MS Windows 95 / 98 / ME / NT 4.0 / 2000 / XP / Vista platforms.

E-7 How does the "Change Password Program" work?

The "Change Password Program" is Windows-based software that lets the Subscriber change the password of the e-Cert file easily. If successful, the e-Cert file on the floppy disk / other storage device is protected by the new password.


F. Technical Issues

F-1 System Requirements

The minimum system requirements are:

  • Pentium 133 or above (or compatible) with 32 MB RAM
  • Windows 95, Windows 98 or Windows NT
  • Netscape Navigator 4.08 / Communicator 4.5 (or above) or Microsoft Internet Explorer 5.01 with 128 bit high encryption (or above)
  • Hard disk free space : 100 MB

F-2 How do I know that my Hongkong Post e-Cert certificate is properly installed?

For Netscape Users:

  1. Open your Netscape browser;
  2. Click on the security icon (the one that looks like a padlock) from the main toolbar;
  3. Select Certificates > Yours from the menu on the left. Verify that your new e-Cert is listed in the personal certificates display.
  4. To view your e-Cert particulars, select it (e-Cert) and then click the 'view' button.

F-3 What should I do if my PIN does not appear to work?

You must type the PIN correctly, making sure that:

  1. the PIN includes all 16 digits,
  2. there are no spaces before, after, or within the PIN

If the problem persists, please contact the Hongkong Post CA Enquiry Hotline at 2921 6633.

F-4 Why am I getting an 'Expired Certificate' message shortly after downloading it?

This can happen because the system clock of your PC is behind that of our CA system. Our CA system uses a Global Positioning System (GPS) clock to timestamp the certificate. To avoid this, all you need to do is wait a while or correct your system clock.

F-5 I have deleted my Netscape Navigator and installed the latest version. How do I reinstall my digital certificate?

If you have removed your old copy of Netscape Navigator, you have also deleted the file that contains the private key associated with your e-Cert. Without that private key or a back-up copy, you cannot reinstall your e-Cert. You need to apply for a new one. Upgrading Navigator by using the Netscape installer preserves your personal information, including your e-Cert and private key.

F-6 How do I know I am connected to a secure server?

Upon accessing a server secured with a Hongkong Post e-Cert (Server) certificate, the user will see a padlock at the bottom of his or her Internet Explorer browser or on the main toolbar of the Netscape browser. Clicking on the padlock will cause the details of the server's certificate to be displayed.

F-7 How do I get 128-bit / full-strength sessions?

Firstly, when you hear people speak of a 128-bit or 40-bit connection, they are referring to the "session key". This is a symmetric key created by the browser when it connects to the server that is used to encrypt AND decrypt data (transmitted to and from the server) after the initial browser/server "handshake". If your server supports full-strength sessions and the browser connecting to your site supports 128 bits, then a 128-bit session key will be created and used. Browsers that have been exported from the United States are limited to creating 40-bit session keys. Browsers that have been distributed within the US or manufactured by companies outside the US can create 128-bit session keys and thus connect to similarly manufactured and distributed servers in full-strength crypto. Outside the US, certain financial institutions and governmental organisations can apply for a Global Server Certificate, sometimes referred to as a "Step-up Server Certificate". Having one of these certificates installed on a server will guarantee a 128-bit connection with any browser, regardless of whether it is an "export" or "domestic" version.

F-8 What domain name do I use on my server certificate request?

Please be careful when choosing your domain name. You cannot change this information after the certificate is issued. The domain name should be the exact server name where the certificate will be installed. When a browser connects to your server, it will match the domain name to that on the certificate. If the names do not match, the browser will return an authentication error.
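The name check described above, written out as an added example (this is not Hongkong Post's code). The FAQ's rule is an exact match between the hostname the browser connected to and the name on the certificate; the wildcard handling behind `allow_wildcard` goes beyond the page and follows the usual browser rule (RFC 6125 section 6.4.3). The host names in the sample are constructed.

```python
# Added example (not Hongkong Post's code): server-name matching as a browser
# performs it when it compares the connected hostname with the certificate.
# The page's rule is an exact match; wildcard handling is a generalisation
# beyond the page, following RFC 6125 section 6.4.3.

def _normalise(name: str) -> str:
    """DNS names are case-insensitive and a trailing dot marks an absolute name."""
    return name.strip().rstrip(".").lower()


def hostname_matches(cert_name: str, hostname: str, allow_wildcard: bool = False) -> bool:
    """Return True if `hostname` is covered by `cert_name`.

    Without wildcards this is an exact (case-insensitive) comparison, which is
    what the FAQ describes.  With allow_wildcard=True a single '*' is accepted
    only as the whole left-most label, it never matches across a dot, and at
    least two further labels must follow it (so '*.com' is rejected).
    """
    cert_name = _normalise(cert_name)
    hostname = _normalise(hostname)
    if not cert_name or not hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname
    if not allow_wildcard:
        return False
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    # Same number of labels, and every label after the wildcard identical.
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def check_server_name(cert_name: str, hostname: str, allow_wildcard: bool = False) -> str:
    """Mimic the browser's decision: 'ok' or the authentication error a user would see."""
    if hostname_matches(cert_name, hostname, allow_wildcard):
        return "ok"
    return f"authentication error: certificate is for '{cert_name}', not '{hostname}'"


if __name__ == "__main__":
    # Constructed sample names; they are not real Hongkong Post hosts.
    print(check_server_name("www.example.com", "WWW.example.com."))
    print(check_server_name("www.example.com", "mail.example.com"))
    print(check_server_name("*.example.com", "www.example.com", allow_wildcard=True))
```

The second call is the situation the FAQ warns about: a certificate requested for `www.example.com` and installed on `mail.example.com` fails the comparison, and the browser reports an authentication error rather than trusting the server.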

F-9 Which field inside the e-Cert (Encipherment) certificate controls the usage purpose of the key pair?

The "Key Usage" extension field specifies the usage of the key pair. For e-Cert (Encipherment), only the "Key Encipherment" bit and "Digital Signature" bit are set.
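An added example (not Hongkong Post's code) of reading that extension: the Key Usage value is a DER BIT STRING whose bit positions are fixed by RFC 5280 section 4.2.1.3, with digitalSignature at bit 0 and keyEncipherment at bit 2. The two sample values below are constructed, not copied from a real e-Cert.

```python
# Added example (not Hongkong Post's code): decode the DER-encoded Key Usage
# extension of an X.509 certificate and report which usage bits are set.
# Bit positions follow RFC 5280 section 4.2.1.3.

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> list:
    """Return the names of the bits set in a DER BIT STRING holding KeyUsage.

    Layout: tag 0x03, short-form length, one byte giving the number of unused
    trailing bits, then the bit bytes with bit 0 in the most significant
    position of the first byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("bad or unsupported length encoding")
    unused = der[2]
    bits = der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bits count")
    if bits and bits[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    total = len(bits) * 8 - unused
    names = []
    for i in range(total):
        byte_index, offset = divmod(i, 8)
        if (bits[byte_index] >> (7 - offset)) & 1:
            names.append(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return names


def is_encipherment_profile(der: bytes) -> bool:
    """True when exactly the digitalSignature and keyEncipherment bits are set,
    the combination the FAQ describes for e-Cert (Encipherment)."""
    return set(decode_key_usage(der)) == {"digitalSignature", "keyEncipherment"}


# Constructed sample values (not taken from a real e-Cert):
# unused=5, bit byte 1010 0000 -> digitalSignature and keyEncipherment
ENCIPHERMENT_KEY_USAGE = bytes.fromhex("030205a0")
# unused=1, bit byte 0000 0110 -> keyCertSign and cRLSign, typical of a CA certificate
CA_KEY_USAGE = bytes.fromhex("03020106")

if __name__ == "__main__":
    print(decode_key_usage(ENCIPHERMENT_KEY_USAGE))
    print(decode_key_usage(CA_KEY_USAGE))
```

A relying application should compare the decoded set against the purpose at hand: a certificate whose Key Usage lacks keyEncipherment is not meant to receive encrypted messages, and one lacking digitalSignature is not meant to sign, whatever the subject name says.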

F-10 What is the usage of e-Cert (Encipherment)?

e-Cert (Encipherment) certificates are to be used only:

  1. to send encrypted electronic messages to the Subscriber Organisation;
  2. to permit the Subscriber Organisation to decrypt messages; and
  3. to permit the Subscriber Organisation to acknowledge receipt of the encrypted message by sending an acknowledgement with a digital signature added to it to confirm the identity of the receiving Subscriber Organisation.

Further, digital signatures generated by this class of certificate are only to be used to acknowledge the receipt of electronic messages in transactions which are not related to or connected with the payment of money on-line or the making of any investment on-line or the conferring on-line of any financial benefit on any person or persons or entities of whatsoever nature and under no circumstances are digital signatures generated by these certificates to be used to acknowledge the receipt of messages sent in connection with the negotiation or conclusion of a contract or any legally binding agreement.

F-11 Using e-Cert in the Crypto Tools software

The Crypto Tools (the Software) previously provided by the former i-Security Solutions Limited (the Company) has been unavailable for sale and/or distribution since the Company closed down in 2003. If you are using the Software for signing and encrypting documents with Hongkong Post e-Cert, you should note that Hongkong Post shall not accept any claims or liabilities whatsoever arising from the use or distribution of the Software or any information contained in this web page.

If you choose to continue using the Software, you may import the 2 new Hongkong Post CA certificates into the Software so that you can sign and encrypt with e-Certs issued under the two CA certificates. The steps are as follows:

  1. From the following URLs, download and save the two CA certificate files in a folder on your hard disk:
  2. Start the Crypto Tools. At the menu bar, select "Certificates" and then select "Trusted CAs' certificates" from the pull-down menu.
  3. At the "Certificate Signers' Certificates" window, select the "Import CA certificate from file" button, and then follow the instructions displayed to import the "Hongkong Post Root CA 1" certificate (e.g. smartid_rt.cer) which you stored on your hard disk in step 1 above.
  4. Repeat step 3 to import the "Hongkong Post e-Cert CA 1" certificate (e.g. smartid_ca.cer) which you stored on your hard disk in step 1 above.

G. Revocation of Certificates

G-1 How do I revoke my Hongkong Post e-Cert certificate?

A subscriber may submit a request to revoke her/his certificate at any time for any reason. Revocation requests can be made by the following methods:

  1. Sending a certificate revocation request by fax to 2775 9130 and the original of the revocation request by post.
  2. Sending a certificate revocation request by letter to Hongkong Post CA, PO Box 68777, Kowloon East Post Office.
  3. Sending a digitally signed e-mail to enquiry@hongkongpost.gov.hk
  4. Presenting a revocation request in person at any post office with the same signature as on the original application form.

Suspensions and revocations of certificates will be effective only after they have been published in the Certificate Revocation List (CRL).
 
Personal Certificate Revocation Request

A personal certificate can only be revoked by the subscriber of that certificate.

Organisational Certificate Revocation Request

An organisational certificate can be revoked by:

  1. A person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application, or;
  2. The person whose name appears on the certificate as the subscriber of that certificate.

Server e-Cert Revocation Request

A server certificate can be revoked by a person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application.

Encipherment e-Cert Revocation Request

An encipherment certificate can be revoked by a person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application.

Acknowledgement to the Subscriber/Authorised Representative

Based on a request by fax, Hongkong Post will place a "Hold" on the certificate, which effectively suspends, but does not revoke the certificate. The subscriber then has to send his/her original of the revocation request to Hongkong Post to complete the revocation process. In-person or digitally signed requests will be processed directly as immediate revocations without the "Hold" procedure. Hongkong Post will endeavour to issue a Notice of Revocation to such subscribers within one week following the request for revocation.

Business Hours for Processing Revocation Requests

Monday to Friday 9:00 a.m. to 5:00 p.m.

Saturday 9:00 a.m. to 12:00 noon

Sundays & Public Holidays 9:00 a.m. to 12:00 noon

On any weekday on which a tropical cyclone warning signal no. 8 (or above) or a black rainstorm warning signal is hoisted, Hongkong Post Certificate Authority will open at the usual time if the signal is lowered at or before 6 a.m. that day. If the signal is lowered between 6 a.m. and 10 a.m. or at 10 a.m., Hongkong Post Certificate Authority will open at 2:00 p.m. on any weekday, other than on a Saturday, Sunday and public holiday.

Service Pledge and Certificate Revocation List Update

  1. Hongkong Post will exercise reasonable endeavours to see that the suspension or revocation is posted to the Certificate Revocation List within 2 working days of (1) Hongkong Post receiving a revocation request from the Subscriber or (2), in the absence of such a request, the decision by Hongkong Post to suspend or revoke the certificate.
  2. However, a Certificate Revocation List is not published in the directory for access by the public following each certificate revocation. Only when the next Certificate Revocation List is updated and published will it reflect the revoked status of the certificate. [Certificate Revocation Lists are published daily and are archived for 7 years.]

For the avoidance of doubt, Saturdays, Sundays, public holidays and weekdays on which a tropical cyclone or rainstorm warning signal is hoisted are not working days.

G-2 Why do I need to revoke my certificate before it expires?

We strongly recommend that you revoke (cancel) your certificate if you suspect that your private key has been compromised, or you no longer wish to participate in the Hongkong Post Public Key Infrastructure.

G-3 How can I verify the status of my revoked certificate?

You can verify the status of your revoked Hongkong Post e-Cert certificate by pulling down the entire Hongkong Post CA Certificate Revocation List (CRL) from the directory server at ldap.hongkongpost.gov.hk, which is updated every day. The CRL on the directory server can only be read using the LDAP protocol, so you need client software with LDAP capability, for example the Crypto Tools bundled in the e-Cert Customer Kit. Alternatively, you can go to our web site and access the CRL at the following URL: http://crl1.hongkongpost.gov.hk/crl/e-CertCA1CRL1.crl. For users of Microsoft Windows with Internet Explorer 5.0 or above, when you open the CRL file a CRL pop-up screen shows the list of revoked certificates in certificate serial number order. You may then locate the certificate by its serial number. Please note that the revocation status of expired certificates will not be published in the CRL.
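What the CRL viewer does when it lists revoked certificates by serial number, as an added example (not Hongkong Post's code): the revokedCertificates part of a DER-encoded CRL (RFC 5280 section 5.1) is a SEQUENCE of entries, each holding the certificate's INTEGER serial number and a Time of revocation. The sample entries below are constructed, with made-up serial numbers and dates. The code parses only that structure; a real check must also verify the CRL's signature against the issuing CA certificate, confirm the CRL is current from its thisUpdate/nextUpdate fields, and descend through the outer CertificateList and TBSCertList to reach the revokedCertificates field of a downloaded file such as the one at the URL above.

```python
# Added example (not Hongkong Post's code): walk the revokedCertificates part
# of a DER-encoded CRL (RFC 5280 section 5.1) and look up a serial number.
# Only the TLV structure is parsed; signature and freshness checks are not done.

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at `pos`; return (tag, value, end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                  # short-form length
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_revoked(revoked_der: bytes) -> dict:
    """Map serial number -> revocation time (the UTCTime/GeneralizedTime text)
    for a DER SEQUENCE OF { INTEGER serial, Time revocationDate }."""
    tag, body, end = _read_tlv(revoked_der, 0)
    if tag != 0x30 or end != len(revoked_der):
        raise ValueError("expected a single outer SEQUENCE")
    entries = {}
    pos = 0
    while pos < len(body):
        tag, entry, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("revoked entry must be a SEQUENCE")
        stag, serial_bytes, next_pos = _read_tlv(entry, 0)
        if stag != 0x02:
            raise ValueError("serial number must be an INTEGER")
        ttag, time_bytes, _ = _read_tlv(entry, next_pos)
        if ttag not in (0x17, 0x18):       # UTCTime or GeneralizedTime
            raise ValueError("revocation date must be a Time")
        # DER INTEGER is two's-complement big-endian; serials are positive.
        entries[int.from_bytes(serial_bytes, "big", signed=True)] = time_bytes.decode("ascii")
    return entries


def revocation_date(revoked_der: bytes, serial: int):
    """Return the revocation time of `serial`, or None if it is not listed."""
    return parse_revoked(revoked_der).get(serial)


# --- Constructed sample CRL entries (serial numbers and dates are made up) ---
def _tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128             # short-form length is enough here
    return bytes([tag, len(content)]) + content


def _integer(n: int) -> bytes:
    # One spare byte keeps the sign bit clear, e.g. 0xFF encodes as 00 FF.
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _utctime(s: str) -> bytes:
    return _tlv(0x17, s.encode("ascii"))


SAMPLE_REVOKED = _tlv(0x30,
    _tlv(0x30, _integer(0x1A2B) + _utctime("090101120000Z")) +
    _tlv(0x30, _integer(0xFF) + _utctime("090315083000Z")))

if __name__ == "__main__":
    for serial, when in sorted(parse_revoked(SAMPLE_REVOKED).items()):
        print(f"serial {serial:#x} revoked at {when}")
    print(revocation_date(SAMPLE_REVOKED, 0x1234))   # not listed
```

A serial number missing from the list means only that the CRL does not record it as revoked. As the FAQ notes, expired certificates drop out of the CRL, so a certificate must also be within its validity period before its absence from the list can be read as "still good".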


H. Deletion and Recovery issues

H-1 Is there any way to recover my Hongkong Post e-Cert certificate if my hard drive has crashed?

A hard drive crash may delete the certificate on your computer. Once it has been lost, there is no way to retrieve it: you will need to revoke your certificate and then enrol for a new one. Alternatively, if you have a back-up copy, you may restore it and import that copy into your browser.

H-2 What should I do if my computer has been stolen together with my certificate?

As your digital certificate is protected by a password, it is unlikely that anyone else will be able to use it to impersonate you. However, we strongly advise you to revoke your certificate immediately if your computer has been stolen and then enrol for a new one.

H-3 Should I delete my expired or revoked e-Cert?

You should not delete your expired or revoked e-Cert. By deleting a certificate, you will no longer have access to the public key associated with it and it will therefore no longer be possible to read encrypted messages with it.


I. Back-up and transfer of certificate

I-1 How do I save a back-up copy of my digital certificate?

Each browser has its own back-up procedures. For Netscape Users:

  1. Click on the security icon (the one that resembles a padlock) from the main toolbar,
  2. Select Certificates > Yours from the menu on the left,
  3. Select the e-Cert you intend to save and click Export,
  4. You will be prompted to choose a transport password which you will be asked for when importing or opening this copy of your e-Cert. Click OK,
  5. Select a location (such as your floppy disk) and file name in which to save your e-Cert. Click Save,
  6. Protect your floppy disk or other media and your transport password in a secure manner.

For Internet Explorer Users:

  1. In your Internet Explorer browser, Click Tools from the pull-down menu and select Internet Options.
  2. In the Internet Options window, click on the tab Content and select Certificates.
  3. Select the Personal tab and click on the certificate to be exported. Then click on Export button.
  4. The Certificate Manager Export Wizard pops up. Read the information provided therein and click on Next button.
  5. Now you have to indicate if you want to export the private Key with your certificate. Select Yes, export the private key and click the Next button.
  6. Check the option Include all certificates in the certification path if possible.
  7. Uncheck the option Enable strong protection (requires IE 5.0, NT 5.0 or above) if you will use the exporting file on applications other than IE 5.0 or above.
  8. Click the Next button.
  9. Type in a password of no less than 8 characters (you may select a new password if you wish) to protect the .PFX file. Then click Next.
  10. You must now decide where to save the .PFX file. Locate and choose a directory for this file. Type a friendly name in the File name box. Click Next.
  11. In the popup, Export Wizard Window, Click Finish.
  12. The export is complete; click the OK button.

I-2 How do I transfer my digital certificate to a new computer?

The first step for transferring your e-Cert is to save ("Export") it from the computer's hard drive onto a floppy disk or other transfer medium. When your e-Cert has been successfully exported, you can then import it into the new computer. To import your e-Cert into Netscape Navigator :

  1. Click on the security icon (the one that looks like a padlock) from the main toolbar,
  2. Select Certificates > Yours from the menu on the left,
  3. Select Import,
  4. You will then be prompted to give the password you will use to protect your e-Cert,
  5. Locate your e-Cert from the floppy disk or other medium used to back up your e-Cert (it should have a .p12 extension). Highlight it and click Open,
  6. Enter your transport password and click OK.

To import your e-Cert into Internet Explorer :

  1. In your Internet Explorer browser, click Tools in the pull-down menu and select Internet Options.
  2. In the Internet Options window that pops up, click on the tab Content and select Certificates.
  3. Select the Personal tab and Click on Import button.
  4. The Certificate Manager Import Wizard pops up. Read the information provided therein and click on Next button.
  5. You have to select the file to be imported. Click on Browse button and select the location and filename to be imported. If you are importing PKCS#12 certificate file produced by e-Cert Central Key Generation, or exported from other applications which use .P12 file extension, you need to click the Browse button, change the Files of type to All Files (*.*) in the Open window and then select the required .P12 file.
  6. Click Next button. The system will then prompt you to enter the password. The password used while exporting the file has to be used here. Check on box Enable strong private